Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
c2ba7d20
Commit
c2ba7d20
authored
Jun 03, 2021
by
Thong Kuah
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Revert "Merge branch 'fix-csp-issue' into 'master'"
This reverts merge request !62615
parent
35ce121f
Changes
5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
2 additions
and
39 deletions
+2
-39
app/helpers/gitlab_script_tag_helper.rb
app/helpers/gitlab_script_tag_helper.rb
+0
-8
lib/gitlab/content_security_policy/config_loader.rb
lib/gitlab/content_security_policy/config_loader.rb
+1
-7
spec/helpers/gitlab_script_tag_helper_spec.rb
spec/helpers/gitlab_script_tag_helper_spec.rb
+0
-7
spec/helpers/webpack_helper_spec.rb
spec/helpers/webpack_helper_spec.rb
+1
-2
spec/lib/gitlab/content_security_policy/config_loader_spec.rb
.../lib/gitlab/content_security_policy/config_loader_spec.rb
+0
-15
No files found.
app/helpers/gitlab_script_tag_helper.rb
View file @
c2ba7d20
...
@@ -21,12 +21,4 @@ module GitlabScriptTagHelper
...
@@ -21,12 +21,4 @@ module GitlabScriptTagHelper
super
super
end
end
def
preload_link_tag
(
source
,
options
=
{})
# Chrome requires a nonce, see https://gitlab.com/gitlab-org/gitlab/-/issues/331810#note_584964908
# It's likely to be a browser bug, but we need to work around it anyway
options
[
:nonce
]
=
content_security_policy_nonce
super
end
end
end
lib/gitlab/content_security_policy/config_loader.rb
View file @
c2ba7d20
...
@@ -24,7 +24,7 @@ module Gitlab
...
@@ -24,7 +24,7 @@ module Gitlab
'media_src'
=>
"'self'"
,
'media_src'
=>
"'self'"
,
'script_src'
=>
"'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com"
,
'script_src'
=>
"'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com"
,
'style_src'
=>
"'self' 'unsafe-inline'"
,
'style_src'
=>
"'self' 'unsafe-inline'"
,
'worker_src'
=>
"'self'
blob: data:
"
,
'worker_src'
=>
"'self'"
,
'object_src'
=>
"'none'"
,
'object_src'
=>
"'none'"
,
'report_uri'
=>
nil
'report_uri'
=>
nil
}
}
...
@@ -37,7 +37,6 @@ module Gitlab
...
@@ -37,7 +37,6 @@ module Gitlab
allow_webpack_dev_server
(
settings_hash
)
if
Rails
.
env
.
development?
allow_webpack_dev_server
(
settings_hash
)
if
Rails
.
env
.
development?
allow_cdn
(
settings_hash
)
if
ENV
[
'GITLAB_CDN_HOST'
].
present?
allow_cdn
(
settings_hash
)
if
ENV
[
'GITLAB_CDN_HOST'
].
present?
allow_snowplow
(
settings_hash
)
if
Gitlab
::
CurrentSettings
.
snowplow_enabled?
settings_hash
settings_hash
end
end
...
@@ -80,11 +79,6 @@ module Gitlab
...
@@ -80,11 +79,6 @@ module Gitlab
append_to_directive
(
settings_hash
,
'script_src'
,
cdn_host
)
append_to_directive
(
settings_hash
,
'script_src'
,
cdn_host
)
append_to_directive
(
settings_hash
,
'style_src'
,
cdn_host
)
append_to_directive
(
settings_hash
,
'style_src'
,
cdn_host
)
append_to_directive
(
settings_hash
,
'font_src'
,
cdn_host
)
end
def
self
.
allow_snowplow
(
settings_hash
)
append_to_directive
(
settings_hash
,
'connect_src'
,
Gitlab
::
CurrentSettings
.
snowplow_collector_hostname
)
end
end
def
self
.
append_to_directive
(
settings_hash
,
directive
,
text
)
def
self
.
append_to_directive
(
settings_hash
,
directive
,
text
)
...
...
spec/helpers/gitlab_script_tag_helper_spec.rb
View file @
c2ba7d20
...
@@ -41,11 +41,4 @@ RSpec.describe GitlabScriptTagHelper do
...
@@ -41,11 +41,4 @@ RSpec.describe GitlabScriptTagHelper do
expect
(
helper
.
javascript_tag
(
'// ignored'
,
type:
'application/javascript'
)
{
'alert(1)'
}.
to_s
).
to
eq
tag_with_nonce_and_type
expect
(
helper
.
javascript_tag
(
'// ignored'
,
type:
'application/javascript'
)
{
'alert(1)'
}.
to_s
).
to
eq
tag_with_nonce_and_type
end
end
end
end
describe
'#preload_link_tag'
do
it
'returns a link tag with a nonce'
do
expect
(
helper
.
preload_link_tag
(
'https://example.com/script.js'
).
to_s
)
.
to
eq
"<link rel=
\"
preload
\"
href=
\"
https://example.com/script.js
\"
as=
\"
script
\"
type=
\"
text/javascript
\"
nonce=
\"
noncevalue
\"
>"
end
end
end
end
spec/helpers/webpack_helper_spec.rb
View file @
c2ba7d20
...
@@ -15,7 +15,6 @@ RSpec.describe WebpackHelper do
...
@@ -15,7 +15,6 @@ RSpec.describe WebpackHelper do
describe
'#webpack_preload_asset_tag'
do
describe
'#webpack_preload_asset_tag'
do
before
do
before
do
allow
(
Gitlab
::
Webpack
::
Manifest
).
to
receive
(
:asset_paths
).
and_return
([
asset_path
])
allow
(
Gitlab
::
Webpack
::
Manifest
).
to
receive
(
:asset_paths
).
and_return
([
asset_path
])
allow
(
helper
).
to
receive
(
:content_security_policy_nonce
).
and_return
(
'noncevalue'
)
end
end
it
'preloads the resource by default'
do
it
'preloads the resource by default'
do
...
@@ -23,7 +22,7 @@ RSpec.describe WebpackHelper do
...
@@ -23,7 +22,7 @@ RSpec.describe WebpackHelper do
output
=
helper
.
webpack_preload_asset_tag
(
source
)
output
=
helper
.
webpack_preload_asset_tag
(
source
)
expect
(
output
).
to
eq
(
"<link rel=
\"
preload
\"
href=
\"
#{
asset_path
}
\"
as=
\"
script
\"
type=
\"
text/javascript
\"
nonce=
\"
noncevalue
\"
>"
)
expect
(
output
).
to
eq
(
"<link rel=
\"
preload
\"
href=
\"
#{
asset_path
}
\"
as=
\"
script
\"
type=
\"
text/javascript
\"
>"
)
end
end
it
'prefetches the resource if explicitly asked'
do
it
'prefetches the resource if explicitly asked'
do
...
...
spec/lib/gitlab/content_security_policy/config_loader_spec.rb
View file @
c2ba7d20
...
@@ -49,21 +49,6 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
...
@@ -49,21 +49,6 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
expect
(
directives
[
'script_src'
]).
to
eq
(
"'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://example.com"
)
expect
(
directives
[
'script_src'
]).
to
eq
(
"'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://example.com"
)
expect
(
directives
[
'style_src'
]).
to
eq
(
"'self' 'unsafe-inline' https://example.com"
)
expect
(
directives
[
'style_src'
]).
to
eq
(
"'self' 'unsafe-inline' https://example.com"
)
expect
(
directives
[
'font_src'
]).
to
eq
(
"'self' https://example.com"
)
end
end
context
'when snowplow is configured'
do
before
do
stub_application_setting
(
snowplow_enabled:
true
)
stub_application_setting
(
snowplow_collector_hostname:
'snowplow.example.com'
)
end
it
'adds snowplow to CSP'
do
settings
=
described_class
.
default_settings_hash
directives
=
settings
[
'directives'
]
expect
(
directives
[
'connect_src'
]).
to
eq
(
"'self' snowplow.example.com"
)
end
end
end
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment